Signing Windows binaries on Server Core Windows Server 2019 Datacenter Edition with Visual Studio 2019 Community.
signtool.exe was not behaving correctly (issues opening PFX file), and so we were advised to switch to PowerShell + Set-AuthenticodeSignature.
Using the following commands:
# Read the PFX password as a SecureString (assumes $password, $certificate and $target are already set)
$securepassword = ConvertTo-SecureString -String $password -AsPlainText -Force
# Load the PFX and take its end-entity (code-signing) certificate
$pfx = Get-PfxData -FilePath $certificate -Password $securepassword
$cert = $pfx.EndEntityCertificates[0]
# Sign with SHA256 and request a timestamp from DigiCert
Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm "SHA256" -TimestampServer http://timestamp.digicert.com
results in a binary with the expected SHA256 signature; however, the Timestamp Signature is SHA1. Have also tried using http://timestamp.digicert.com?alg=sha256 as the server; however, Set-AuthenticodeSignature does not add the timestamp signature at all.
Since this command doesn't allow you to specify the hash of the Timestamp algorithm, how can we achieve this?
Use another RFC3161 timestamp server. For example:
-TimestampServer "http://timestamp.comodoca.com/rfc3161"
I also see this issue in Windows 10 Enterprise when trying to use -TimestampServer "http://timestamp.digicert.com?alg=sha256" in PowerShell, despite this timestamp server working fine with signtool in the same environment.
If one flushes the local DNS cache and then observes the network interface with Wireshark, both signtool and Set-AuthenticodeSignature normally trigger a DNS lookup for the timestamp server during the signing process. This does not occur when using the DigiCert URL with Set-AuthenticodeSignature. The cmdlet seems like it may be having an issue with the ?alg=sha256 parameter and then skips the timestamp step completely.
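Since Set-AuthenticodeSignature gives no feedback about which digest the timestamp uses, and (as noted above) may silently skip the timestamp step, an added example, not from the question or either answer, that reads the signed PE's Authenticode blob and reports the hash algorithm of both the signature and its timestamp. It assumes Windows PowerShell 5.1 (System.Security assembly for SignedCms); the file path is a placeholder.

```powershell
# Added example, not from the question or answers above: report the digest
# algorithm used by the Authenticode signature and by its timestamp, so the
# result of Set-AuthenticodeSignature can be verified from a script.
# Assumes Windows PowerShell 5.1 (System.Security assembly for SignedCms).
Add-Type -AssemblyName System.Security

function Get-AuthenticodeHashInfo {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # e_lfanew (at 0x3C) -> "PE\0\0", then the 20-byte COFF header, then the
    # optional header whose Magic distinguishes PE32 (0x10B) from PE32+ (0x20B).
    $optOffset = [BitConverter]::ToInt32($bytes, 0x3C) + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optOffset)
    # Data directory 4 (Security) is at +128 (PE32) / +144 (PE32+); its value is a raw file offset.
    $dirOffset = $optOffset + $(if ($magic -eq 0x20B) { 144 } else { 128 })
    $secOffset = [BitConverter]::ToInt32($bytes, $dirOffset)
    $secSize   = [BitConverter]::ToInt32($bytes, $dirOffset + 4)
    if ($secOffset -eq 0 -or $secSize -eq 0) { throw "No Authenticode signature in $Path" }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $certLen = [BitConverter]::ToInt32($bytes, $secOffset)
    $pkcs7   = [byte[]]$bytes[($secOffset + 8)..($secOffset + $certLen - 1)]
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($pkcs7)
    $signer = $cms.SignerInfos[0]
    $info = [ordered]@{
        File          = $Path
        SignatureHash = $signer.DigestAlgorithm.FriendlyName
        TimestampType = 'none (timestamp step was skipped)'
        TimestampHash = $null
    }
    foreach ($attr in $signer.UnsignedAttributes) {
        if ($attr.Oid.Value -eq '1.3.6.1.4.1.311.3.3.1') {
            # RFC 3161 timestamp token: a nested SignedCms carried as an unsigned attribute
            $tst = New-Object System.Security.Cryptography.Pkcs.SignedCms
            $tst.Decode($attr.Values[0].RawData)
            $info.TimestampType = 'RFC3161'
            $info.TimestampHash = $tst.SignerInfos[0].DigestAlgorithm.FriendlyName
        }
        elseif ($attr.Oid.Value -eq '1.2.840.113549.1.9.6') {
            # legacy Authenticode countersignature timestamp (PKCS#9 countersignature)
            $info.TimestampType = 'Authenticode countersignature'
            $info.TimestampHash = $signer.CounterSignerInfos[0].DigestAlgorithm.FriendlyName
        }
    }
    [pscustomobject]$info
}

Get-AuthenticodeHashInfo -Path 'C:\build\app.exe'   # placeholder path, replace with the signed binary
```

A binary timestamped via the RFC3161 endpoint from the first answer should report TimestampType RFC3161 with TimestampHash sha256, while the ?alg=sha256 DigiCert case described above shows up as "none".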